"Remote Removal
F-Secure can confirm that the remote removal method found by Joe Stewart of Lurhq does indeed work.
Sending a specific byte sequence to port 6777 on the infected computers causes the worm to delete itself from the System Directory and terminate its process. The registry values are not removed but since the file does not exist Windows will ignore those.
The byte sequence to be sent:
0x43 0xff 0xff 0xff 0x00 0x00 0x00 0x00 0x04 0x31 0x32 0x00
Please note that the usage of this method against someone else's computers might be legally questionable."

F-Secure notes above that using this method is legally questionable when run against someone else's computer. Putting aside the legality of this method (although anyone who has worked in "cyber" law please comment) I am curious if the community thinks the method is morally acceptable.

October 25th, 2006, 10:15 PM

deftones12

I could see going in remotely and removing the worm being questionable, because you would be gaining access.
But how is sending a specific 'byte sequence' to a certain port questionable or "gaining access"? It's basically no different than pinging another machine, you're just doing it with a certain byte sequence, or at least that's what I understood from reading that.
Maybe I'm missing something.

October 25th, 2006, 10:20 PM

nihil

Basically you should not use a remote tool against a computer that you do not own or administer.

There have been one or two of these that were badly written and caused more problems than they solved:eek:

If you wrote something like that you would be in big trouble no matter how honourable your intentions.

I don't think that it is worth the risk.

October 25th, 2006, 10:21 PM

dalek

Quote:

F-Secure notes above that using this method is legally questionable when run against someone else's computer

By acknowledging that what they are doing can and could be considered illegal, then why are they doing it? What's the point? And the reverse is true: if they can remove remotely then they can also add remotely, which is the principle of the idea, so they shouldn't do it without the owner's approval. JMO :cool:

October 25th, 2006, 10:33 PM

phishphreek

It depends... What protocol does it use? UDP? You're not establishing a connection, so technically you're not gaining access. If it is TCP, then you'd be establishing a connection and thus unauthorized access.

If it was UDP, the tool could simply "spoof" the src address so there would be no "proof" of who sent the sequence. (well, depending on how the ISPs' routers are set up)

It's not like you're installing a tool to uninstall it. You're executing a built in command but doing so in a way that you don't connect to it?

October 25th, 2006, 10:38 PM

nihil

Hmmmm,

I think we need to be a bit careful in our definitions. I would guess that such an action was not strictly "immoral" or "unethical" as the intentions are not malicious.

However, as the activity is not authorised, it could well be technically illegal, depending on your local legislation.

October 25th, 2006, 10:39 PM

stevel

dalek,

The above information taken from F-Secure was their analysis of the worm. F-Secure was not remotely removing the virus. I've edited the post adding a link to the page I quoted.

October 25th, 2006, 10:51 PM

dalek

Quote:

Originally Posted by stevel

dalek,

The above information taken from F-Secure was their analysis of the worm. F-Secure was not remotely removing the virus. I've edited the post adding a link to the page I quoted.

Tks for clearing that up...;)

Okay, after reading this, I would assume it's private networks we are talking about, and if so, then admins can certainly go ahead and use it to catch any of the infected PCs on a network. Is that how it plays out? If so then the legalities are moot?

Quote:

Good morning.
The following forwarded message is from Joe Stewart to TH-Research (The Trojan Horses Research Mailing List).
In it Joe explains a way for admins (or anybody really) to easily and massively remove Bagle infections from their networks.
There are other ways to do this, but this is the most simple that I saw thus far.

Thanks again to Joe for all his work.
Drop him a thank-you note if this helps you, he's a good guy!
Gadi Evron

If you can't wait till January 28, Bagle has a remote uninstall command
which can be sent over port 6777, the port also used to upload the
second stage.
For instance, using perl and netcat, you could send the uninstall
command with the one-liner below:
perl -e 'print "\x43\xff\xff\xff\x00\x00\x00\x00\x0412\x00"' \
| nc infected_host_IP 6777
When the command bytes above are received by an infected host, the virus
will exit and delete its executable (using a batch script after the
fact). The registry keys are not removed.
-Joe

I was thinking more along the lines of using this against a machine outside your network. For instance, if your users were getting spammed with email viruses from an infected machine outside of your network and the infected machine is not behind a firewall, is it acceptable to use this remote removal technique?

It is an open port with a "service" running on it. You would not be manipulating the software to function outside of its intended purpose... I'm thinking it is acceptable.

October 26th, 2006, 08:04 AM

nihil

Yeah, someone else's port, service and hardware.

Check out the Nachi/Welchia worm if you want to see what happens when people meddle where they should not.

If it is not your equipment and your network you really don't know what on Earth is going on on it, and you would not have tested your "solution" on it. I am sure all the sysadmins here would really love someone doing that:D